One Article Review
| Source |  RiskIQ |
|---|---|
| Identifiant | 8598401 |
| Date de publication | 2024-10-15 20:34:16 (vue: 2024-10-15 21:12:45) |
| Titre | Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions (Recyclage) |
| Texte | ## Instantané L'équipe de chasse aux menaces de Trend Micro \\ a identifié Edrsilencer, un outil initialement conçu pour les opérations de l'équipe rouge afin de tester et d'améliorer les systèmes de sécurité en interférant avec les solutions de détection et de réponse (EDR).Cependant, les acteurs de la menace réorientent maintenant EDRSilencer pour échapper à la détection en bloquant le trafic EDR à l'aide de la plate-forme de filtrage Windows (WFP). ## Description L'outil identifie dynamiquement l'exécution des processus EDR et crée des filtres WFP pour bloquer leur communication sortante, ce qui empêche les solutions EDR d'envoyer une télémétrie ou des alertes sur leurs consoles de gestion.Cela peut permettre aux logiciels malveillants de rester non détectés sur un système. EDRSILENCER est efficace contre un large éventail de produits EDR, comme le montre sa capacité à bloquer la communication pour les processus non inclus dans sa liste codé en dur.Les filtres de l'outil \\ sont persistants, restants actifs même après les redémarrages du système.La chaîne d'attaque implique la découverte de processus, l'exécution de l'outil pour bloquer les processus EDR et l'escalade de privilège en configurant les filtres WFP.L'impact est significatif car les outils EDR sont rendus inefficaces, incapables d'envoyer une télémétrie ou des alertes, ce qui augmente le potentiel d'attaques réussies sans détection ni intervention.La Trend Micro Team a testé l'efficacité de l'outil \\ en l'utilisant contre leur propre agent de point de terminaison, confirmant qu'Edrsilecer pourrait bloquer avec succès les journaux à partir du point final.L'émergence d'Edsilencer comme moyen d'éviter les systèmes de détection et de réponse des points finaux marque un changement significatif dans les tactiques utilisées par les acteurs de la menace, améliorant la furtivité des activités malveillantes. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc)Le défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Autoriser [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) en mode automatisé complet pour permettre à Microsoft DefenderPour que le point final prenne des mesures immédiates sur les alertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - [Activé] (https://learn.microsoft.com/en-us/defender-endpoint/enable-ctrelled-folders) Accès aux dossiers contrôlés. - Assurez-vous que [Protection de stimulation] (https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-Or-Manage-Tamper-Protection) est activé dans Microsoft Defender pour Endpoint. - Activer [Protection réseau] (https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) dans Microsoft Defender pour le point de terminaison. - Suivez les recommandations de durcissement des informations d'identification dans la [vue d'ens |
| Notes | ★★★ |
| Envoyé | Oui |
| Condensat | ### **© 2024 2024** 21562b1004d5/analystreport 365/security/defender 4b5e 5155 ability access accessed action active activities actors af74 after against age agent alert alerts all allow antivirus any are artifacts attack attacker attacks authority automated based behind block blocking breach breaches can chain changes client cloud com/en com/microsoft com/threatanalytics3/9382203e common communication configure configuring confirming consoles content controlled copyright could cover creates credential criterion customers defend defender delivered demonstrated description designed detect detected detection detections/hunting discovery disrupting distribution does dynamically edr edrsilencer effective effectiveness email emergence employed enable enabled encyclopedia endpoint endpoint/attack endpoint/automated endpoint/edr endpoint/enable endpoint/linux endpoint/prevent enhancing ensure equivalent escalation evade evading even evolving executable execution files filtering filters folder folders follow following from full hacktool:win64/edrblok hardcoded hardening however html https://learn https://security https://www hunting identified identifies immediate impact improve included increases ineffective initially interfering intervention investigation investigations involves its learndoc learning like list local logs lsa lsass machine majority malicious malware manage management marks means meet micro microsoft mitigations mode name=hacktool:win64/edrblok network new non not now ocid=magicti one operations outbound overview own part passive permission persistent platform post potential preferences premises prevalence prevent prevents privilege process processes product products prohibited protection protection#how protections queries range ransomware rapidly reboots recommendations recommends red reduce reducing reduction reference#block references remain remaining remediate remediation rendered reproduction repurposing reserved resolve response rights rule rules run running scenes security send sending settings shift significant significantly silent site snapshot solutions stealing stealth subsystem successful successfully surface system systems tactics take tamper team techniques telemetry test tested theft thereof threat threat: threats tool tools traffic trend trendmicro trusted turn unable undetected unknown unless us/defender us/research/24/j/edrsilencer us/wdsi/threats/malware used using view=o365 vision volume webmail wfp when which wide windows without works worldwide written xdr your |
| Tags | Ransomware Malware Tool Threat Prediction |
| Stories | |
| Move | 
|
Les reprises de l'article (1):
| Source | RiskIQ |
|---|---|
| Identifiant | 8598344 |
| Date de publication | 2024-10-15 19:57:54 (vue: 2024-10-15 20:18:18) |
| Titre | Beyond the Surface: the evolution and expansion of the SideWinder APT group (Recyclage) |
| Texte | #### Targeted Geolocations - Bangladesh - Djibouti - Jordan - Malaysia - Maldives - Myanmar - Nepal - Pakistan - Saudi Arabia - Sri Lanka - Türkiye - United Arab Emirates - Afghanistan - France - China - India - Indonesia - Morocco - Middle East - North Africa - Sub-Saharan Africa - South Asia - Southeast Asia #### Targeted Industries - Government Agencies & Services - Defense - Diplomacy/International Relations - Education - Higher Education - Financial Services ## Snapshot SideWinder, also known as T-APT-04 or RattleSnake, is a highly active advanced persistent threat (APT) group that has been targeting entities in South and Southeast Asia since 2012. Its primary targets have included military and government institutions in countries such as Pakistan, Sri Lanka, and Nepal. Recently, SideWinder expanded its reach, launching new attacks on strategic infrastructures and other high-profile entities in the Middle East and Africa. ## Description A hallmark of SideWinder\'s newly observed activities is its use of spear-phishing emails to deliver malicious files, often Microsoft OOXML documents or ZIP archives containing malicious LNK files. Once these files are opened, they initiate a multi-stage infection process, which ultimately installs the StealerBot espionage tool. This tool is designed for post-compromise activities, such as stealing sensitive information, capturing screenshots, logging keystrokes, and stealing credentials. SideWinder\'s tactics include exploiting vulnerabilities like [CVE-2017-11882](https://security.microsoft.com/intel-explorer/cves/CVE-2017-11882/) through malicious RTF files. The group also utilizes public exploits, malicious scripts, and remote template injection. Their malware employs multiple evasion techniques, such as detecting sandboxes and using encrypted payloads to avoid detection. SideWinder\'s infrastructure includes numerous domains and servers, often hosted on virtual private servers (VPS) for short periods of time. The group primarily targets government, military, and infrastructure sectors, as well as diplomatic entities in several countries. While much is known about their initial infection techniques, according to Kapersky, their post-compromise operations remain less well-understood. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender fo |
| Notes | ★★★ |
| Envoyé | Oui |
| Condensat | ### #### **© 0199 11882 11882/ 2012 2017 2024** 21562b1004d5/analystreport 365/security/defender 4b5e 5155 Honor Saudi about access according action active activities advanced af74 afghanistan africa against age agencies alert alerts all allow also aly angel antivirus any apt apt/114089/ arab archives are artifacts asia attack attacker attacks authority automated avoid based been behind beyond block breach breaches can capturing changes china client cloud com/en com/intel com/microsoft com/sidewinder com/threatanalytics3/9382203e common components compromise configure containing content controlled copyright countries cover credential credentials criterion culuntnited customers cve defend defender defense deliver delivered description designed detect detected detecting detection detections/hunting detects diplomacy/international diplomatic distribution documents does domains east edr education email emails emirates employs enable enabled encrypted encyclopedia endpoint endpoint/attack endpoint/automated endpoint/edr endpoint/enable endpoint/linux endpoint/prevent ensure entities equivalent espionage evasion even evolution evolving executable exist expanded expansion exploit:o97m/cve exploiting exploits explorer/cves/cve files financial folder folders follow following france from full geddesh geolotons government group hallmark hardening has have high higher highly hosted https://learn https://securelist https://security https://www immediate impact include included includes india indonesia industries infection information infrastructure infrastructures initial initiate injection installs institutions investigation investigations its kapersky keystrokes known lanka launching learndoc learning less like list lnk local logging lsa lsass machine majority malaysia malicious malware malware: manage meet microsoft middle military mitigations mode morocco msr mtb much multi multiple name=exploit:o97m/cve name=trojan:o97m/cve name=trojan:win32/acll name=trojan:win32/leonem name=trojan:win32/lnk nepal network new newly non north not numerous observed ocid=magicti often once ooxml opened operations other overview pakistan part passive payloads periods permission persistent phishing post preferences premises prevalence prevent primarily primary private process product profile prohibited protection protection#how protections public queries ransomware rapidly rattlesnake reach recently recommendations recommends reduce reducing reduction reference#block references relations remain remediate remediation remote reproduction reserved resolve rights rtf rule rules run running saharan sandboxes scenes screenshots scripts sectors security sensitive servers services settings several she short sidewinder significantly since site sjibout snapshot south southeast spear sri stage stealerbot stealing strategic sub subsystem such surface surface: tactics take tamper target targeted targeting targets techniques template theft thereof these threat threats through time tool tools trojan:o97m/cve trojan:win32/acll trojan:win32/leonem trojan:win32/lnk trusted turn ultimately understood unknown unless us/defender us/wdsi/threats/malware use used using utilizes view=o365 virtual volume vps vulnerabilities wave webmail well when which windows without works worldwide written xdr yard your zip |
| Tags | Ransomware Malware Tool Vulnerability Threat |
| Stories | APT-C-17 |
| Move |
|
L'article ressemble à 1 autre(s) article(s):
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
|
2024-10-17 18:58:40 | (Déjà vu) ClickFix tactic: The Phantom Meet (lien direct) | ## Snapshot Researchers at Sekoia released a report highlighting the ClickFix social engineering tactic and its use in a variety of malicious campaigns. ## Description In May 2024, a new social engineering tactic known as ClickFix was identified, involving fake error messages in web browsers to deceive users into executing malicious PowerShell commands. This method, first identified by Proofpoint researchers, has been leveraged by threat actors, such as the initial access broker TA571, in phishing campaigns. These campaigns trick users into downloading malware like Matanbuchus or NetSupport RAT via HTML files disguised as Word documents. Sekoia researchers have tracked the increasing use of ClickFix, which is now used in campaigns to spread infostealers, botnets, and remote access tools on both Windows and macOS. A significant cluster using this tactic impersonates Google Meet, with fake video conference pages distributing malware. Sekoia linked this activity to two cybercrime groups, "Slavic Nation Empire" (SNE) and "Scamquerteo," both part of larger cryptocurrency scam operations. ClickFix allows attackers to bypass browser security features, making it an effective tool for infiltrating systems undetected. Its use in targeting cryptocurrency assets, Web3 applications, and decentralized finance indicates a focus on high-value victims. This tactic may be further adapted for broader malware distribution, presenting ongoing risks to both corporate and individual users. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint. - Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint. - Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection. - Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware. - - [Block](https://learn.microsoft.com/en-us/defender-endpoint/attack-sur | Ransomware Malware Tool Threat Conference | ★★★ |